(57) Abstract:

PROBLEM TO BE SOLVED: To provide a high-speed packet
filtering system that prevents a third party from illegally
intruding into the Internet VPN.

SOLUTION: The system is provided with a direct path
connecting the packet filter system 102 directly with a
private network, and a firewall path via a firewall 106. The
packet filter system 102 adds predetermined authentication
information to a data packet received from the private
network and sends the resulting packet to a public network;
it also sends a data packet received from the firewall 106
to the public network. The system 102 discriminates whether
or not a data packet received from the public network is one
to which the authentication information has been added. When
it is, the authentication information is removed from the
packet and the resulting data packet is sent to the private
network. When it is not, the data packet is sent to the
firewall 106.
[Title of the Invention] Packet Filter, Authentication
Server, Packet Filtering Method and Storage Medium

[Abstract]

[Task] To provide a high-speed packet filter which 
prevents an unauthorized third party from intruding into an 
internet VPN. 

[Solution] The system is provided with a direct route directly 
connecting with a packet filter and a private network and 
with a firewall route via a firewall. A packet filter 
transmits a data packet, which has been received from the 
private network and has been added with predetermined 
authentication information, to a public network, and 
transmits a data packet received from the firewall to the
public network. The packet filter determines whether or not 
the data packet received from the public network is a data 
packet to which the authentication information is added. If 
the authentication information is added to the data packet, 
the authentication information is removed and the data packet 
is transmitted to the private network. If the authentication 
information is not added to the data packet, the data packet 
is transmitted to the firewall. 

[Scope of Claims for Patent] 

[Claim 1] A packet filter connected to a private network and 
equipped with a firewall to establish a virtual private 
network via a public network comprised of 

a public connection part connected to the public network, 
a private connection part connected to the private network, 
a firewall connection part connected to the firewall,
a packet transfer means to transmit a data packet, received 
in the private connection part to which predetermined 
authentication information has been added, from the public 
connection part to the public network, and to transmit a 
packet received in the firewall connection part from the 
public connection part to the public network, and, 
a packet distribution means to check the data packet received 
in the public connection part for the authentication 
information added thereto, and to transmit the data packet 
from the private connection part after the authentication 
information has been removed if the authentication 
information is added, and to transmit the data packet from 
the firewall connection part if the authentication 
information is not added. 

[Claim 2] A packet filter according to Claim 1, further
comprising:

an authentication information key storage means to store 
authentication information key corresponding to the 
authentication information, and 

an authentication information setting means to set the 
authentication information in the authentication key storage 
means.

[Claim 3] A packet filter according to Claim 2, wherein said
packet transfer means is provided with:

a generation means to generate the authentication information 
based on the authentication information key stored in the 
authentication key storage means, and, 

an addition means to add the authentication information which 
has been generated by the generation means to a predetermined 
area of the data packet.

[Claim 4] A packet filter according to Claim 2, wherein said
packet distribution means is provided with:

a check means to extract the authentication information from 
the data packet so as to check whether or not the 
authentication information is identical to the authentication 
information generated based on the authentication key 
information stored in the authentication information key
storage means, and

a deletion means to delete the authentication information if 
the authentication information added to the data packet is 
identical.

[Claim 5] A packet filter according to Claim 1, wherein a 
plurality of the private connection parts corresponding to a 
plurality of private networks is provided, in which said 
packet transfer means adds authentication information 
corresponding to each of a plurality of the private networks, and
the packet distribution means determines the private 
connection part corresponding to the authentication 
information based on the authentication information 
corresponding to each of a plurality of private networks and 
transmits the data packet from the corresponding private 
connection part. 

[Claim 6] A packet filter according to Claim 5, wherein a 
plurality of the public connection parts corresponding to a 
plurality of private networks is provided. 

[Claim 7] A packet filter according to any one of Claim 5 or
6, further comprising:

an authentication key storage means to store each 
authentication key information corresponding to each of a 
plurality of private networks, and 
an authentication key setting means to set each 
authentication key information in the authentication key 
storage means. 

[Claim 8] A packet filter distributing a packet according to
the packet source, comprising:

a first connection part to receive a packet from the source, 
a second and a third connection parts to output the packet, 
and 

a packet distribution means in which the packet received in 
the first connection part is determined as to whether or not 
it was transmitted from a predetermined source, and if the 
packet is from the predetermined source, the packet is 
transmitted from the second connection part, and if the 
packet is not from the predetermined source, the packet is
transmitted from the third connection part.

[Claim 9] A packet filter according to Claim 8, further
comprising:

a packet transfer means in which the second and the third 
connection part further receive a packet, and the packet 
received in the second connection part is transmitted from 
the first connection part after a predetermined source 
information is added thereto, and the packet received in the 
third connection part is directly transmitted from the first 
connection part. 

[Claim 10] A packet filter distributing a packet according to
the packet source, comprising:

a first connection part to receive a packet from the source, 
a second and a third connection parts to output the packet, 
a CPU for a process, 

a memory to store a program in which the packet received in 
the first connection part is determined as to whether or not 
it was transmitted from a predetermined source, and if the 
packet is from the predetermined source, the packet is 
transmitted from the second connection part, and if the 
packet is not from the predetermined source, the packet is 
transmitted from the third connection part. 

[Claim 11] An authentication server to transmit authentication
key information to a packet filter connected to a private
network and establishing a virtual private network via a
public network, for packet distribution in the packet filter,
comprising:

a determination means to determine whether or not an access 
from the packet filter to the authentication server is legal, 
and 

a transmission means to transmit authentication key 
information corresponding to the private network to the 
packet filter determined to be legal by the determination 
means.

[Claim 12] A packet filtering method for establishing a
virtual private network via a public network and connected to
a private network equipped with a firewall, comprising:
a step of adding predetermined authentication information to 
a data packet received from the private network for 
transmitting it to the public network, 

a step of transmitting a data packet received from the 
firewall to the public network, 

a step of determining whether or not the authentication
information was added to a data packet received from the 
public network, 

a step of removing the authentication information for 
transmitting the data packet to the private network if the 
authentication information is added, and, 

a step of transmitting the data packet to the firewall if the 
authentication information is not added. 

[Claim 13] A storage medium storing a program to realize steps 
described in Claim 12 by an information processor. 
[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] The present invention relates to a 
technology to filter a data packet while connecting with 
networks, in particular, to provide a method and a device for 
filtering packets with high security at high speed and 
cooperating with a firewall having a function for checking 
each application.
[0002] 

[Prior Art] Recently, an Internet VPN (Virtual Private
Network) in which private networks are connected with a 
public network to thereby realize a wide-area private network 
has been established actively. When the private network is 
connected to the public network, eavesdropping or an 
unauthorized access can be done in the public network, and 
this is a significant problem from a security aspect. 
[0003] Toward such problems, each user can reduce the risk 
to security to as little as possible by installing an 
encryption means or a firewall having an access control 
means. A firewall with the encryption means has already been 
launched on the market by manufacturers. For example, an 
Internet VPN is introduced in Nikkei Communications, No. 227,
pages 86 to 100, June 17, 1996.

[0004] The Internet VPN will be discussed with reference 
to Fig. 12. 

[0005] In Fig. 12, a private network A101-1 and a private 
network B101-2 are connected to a public network 103 via a 
firewall A106-1 and a firewall B106-2 which are installed in 
each private network respectively. The firewalls A106-1 and 
B106-2 are gateway devices with an encryption means to 
prevent an unauthorized access. 

[0006] For example, a computer A104-1 communicates with a
computer B104-2 with the following procedures.

[0007] A computer A transmits a data packet to a computer
B. The transmitted packet has a predetermined source address
and port number described in its header. The packet is
encrypted in a firewall A to be transmitted to the public
network.

[0008] The encrypted data packet is transmitted to a
firewall B via the public network. 

[0009] In the firewall B, the data packet is decrypted.
The source address and the port number contained in the 
packet header are checked for an access authority. If the 
computer is determined to be accessible, the data packet is 
transmitted to the computer B. If the firewall determines 
that the access is an unauthorized access, the data packet is 
not transmitted to the computer B. 

[0010] An internal structure of a firewall 106 will be 
described with reference to Fig. 13. Fig. 13 shows an 
internal construction of the firewall 106. In Fig. 13, the 
firewall 106 is comprised of an input/output means 1301 which 
is connected to a network, encryption means 1302 for 
encryption and decryption, a connection management means 1303 
to prevent an unauthorized access, and an application 
management means 1304 to manage an access for each 
application. The connection management means and the 
application management means are provided with a connection 
management table A1305 which stores a source address of 
sending computer and a port number which are accessible, as a
reference table, and a connection management table B1306 
which stores an address of an accessible computer which is 
defined for each application protocol. 

[0011] The input/output means 1301 inputs a data packet
1307 in the firewall from the network, and outputs it to the
network.

[0012] The encryption means 1302 encrypts and decrypts a
payload 1307-2. 

[0013] The connection management means 1303-1 determines 
whether or not the computer is listed in the connection 
management table A1305 as an accessible computer according to 
the port number and the source address in the header 1307-1. 
[0014] The application management means 1304 determines if 
the computer is accessible based on access control 
information defined for each application protocol. The 
access control information in the payload 1307-2 of the data 
packet 1307 is used to determine whether or not the computer 
is listed in the connection management table B1306 as an 
accessible computer. The application management means has a 
different specification for each application and can be 
equipped as many times as the number of application protocols 
supported by the firewall. 
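To make the two-stage check of Fig. 13 concrete, the following Python model of the prior-art firewall is added here; it is example code written for this page, not code from the patent. The table contents, the use of the HTTP Host header and the SMTP HELO/EHLO name as the "access control information in the payload", and the port-to-handler mapping are all constructed assumptions; the patent only states that each application protocol has its own management means and its own table B entries.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet model with just the fields the firewall inspects."""
    src: str
    port: int
    payload: bytes


# connection management table A1305: (source address, port number) pairs allowed
# to connect (sample entries are constructed)
TABLE_A: Set[Tuple[str, int]] = {("10.1.0.2", 80), ("10.1.0.2", 25)}

# connection management table B1306: per application protocol, the computers that
# may be accessed (sample entries are constructed)
TABLE_B: Dict[str, Set[str]] = {"http": {"10.1.0.2"}, "smtp": {"10.1.0.9"}}


def connection_check(pkt: Packet) -> bool:
    """Connection management means 1303: a fixed-cost lookup on header fields only."""
    return (pkt.src, pkt.port) in TABLE_A


def _http_peer(payload: bytes) -> Optional[str]:
    """Assumed HTTP handler: the accessed computer is read from the Host header."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def _smtp_peer(payload: bytes) -> Optional[str]:
    """Assumed SMTP handler: the accessed computer is read from HELO/EHLO."""
    head = payload.upper()
    if head.startswith(b"HELO ") or head.startswith(b"EHLO "):
        return payload.split(b" ", 1)[1].strip().decode("ascii", "replace")
    return None


# application management means 1304: one handler per protocol, selected by port;
# every supported protocol needs its own parser, which is the cost [0016] describes
HANDLERS: Dict[int, Tuple[str, Callable[[bytes], Optional[str]]]] = {
    80: ("http", _http_peer),
    25: ("smtp", _smtp_peer),
}


def application_check(pkt: Packet) -> bool:
    """Parse the payload with the protocol's own handler, then consult table B."""
    entry = HANDLERS.get(pkt.port)
    if entry is None:
        return False  # no handler for this application: the firewall cannot vet it
    proto, parse = entry
    peer = parse(pkt.payload)
    return peer is not None and peer in TABLE_B.get(proto, set())


def admit(pkt: Packet) -> bool:
    """A packet passes only if both the header check and the payload check pass."""
    return connection_check(pkt) and application_check(pkt)
```

The point the model makes visible is that `connection_check` is a single set lookup, while `application_check` has to dispatch to a protocol-specific parser and walk the payload; this is the per-application work that [0016] identifies as the bottleneck and that the invention routes around for VPN traffic.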
[0015] 

[Problems to be Solved by the Invention] It is possible, with 
the above discussed prior art, to establish an Internet VPN 
using the public network, due to encryption of the data 
packet and the access control by the firewall. However, 
there are problems, as discussed below, with this firewall. 
[0016] Using the method for management of connections for 
each application protocol, high security can be ensured, 
while a different response is required for each application 
protocol. Normally, plural applications use the network and
the firewall must respond to all of them, and that makes the 
process complicated. As a result, the process requires much 
time. For example, in case of use of the above discussed 
Internet VPN, if the communication is executed with a 
computer which is not connected to the Internet VPN, the
firewall checks the access authority for all the
applications discussed above regardless of whether or not the
computer is connected to the Internet VPN, and this process
requires much time.

[0017] On the other hand, Internet VPN is desired to be 
provided as a service on the public network side. In this 
case, the new service can be preferably provided using the 
existing equipment.

[0018] Accordingly, the present invention is aimed to 
provide a packet filter, authentication server, packet 
filtering method and storage medium in which the processing 
speed can be increased and high security can be ensured. 
[0019] 

[Means to Solve the Problems] The present invention adopts 
the following means to provide high-speed processing and an 
Internet VPN in which high security is ensured. 
[0020] A packet filter connected to a private network 
including a firewall to establish a virtual private network 
via a public network comprised of:

a public connection part directly connected to the public 
network, 

a private connection part directly connected to the private 
network, 

a firewall connection part connected to the firewall, 
a packet transmission means to transmit a data packet which 
has been received from the private network and has been added 
predetermined authentication information thereto from the 
public connection part to the public network, and to transmit 
the data packet which is received in the firewall connection 
part from the public connection part to the public network 
and, 

a packet distribution means which determines whether or not 
the authentication information is added to the data packet, 
and if the authentication information is added thereto, the 
authentication information is removed and the data packet is 
transmitted from the private connection part, and if the 
authentication information is not added, the packet is
transmitted from the firewall connection part. 
[0021] The packet filter is further comprised of:
an authentication key storage means to store authentication 
key information corresponding to the authentication 
information, and an authentication key setting means to set 
the authentication key information in the authentication key 
storage means. The packet transmission means is comprised of 
a generation means to generate the authentication information 
from the authentication key information stored in the 
authentication key storage means, and an addition means to 
add the authentication information generated by the 
generation means to a predetermined area of the data packet. 
[0022] The packet distribution means is comprised of a 
check means to check whether or not the authentication 
information is identical to the authentication information 
which is generated from the authentication key information 
stored in the authentication key storage means, and a 
deletion means to delete the authentication information if 
the identical authentication information is added to the data 
packet by the check means. 

[0023] A plurality of the private connection parts 
corresponding to a plurality of the private network are 
provided. The packet transmission means adds the 
authentication information corresponding to each of a 
plurality of private networks. The packet distribution means 
determines the private connection part corresponding to the 
authentication information according to the authentication 
information corresponding to each of a plurality of private 
networks and transmits the data packet from the corresponding 
private connection part. The packet filter comprises a 
plurality of public connection parts corresponding to a 
plurality of private networks. 

[0024] The system can be provided with the authentication 
key storage means to store each authentication key 
information corresponding to the authentication information 
corresponding to each of a plurality of the private network 
and authentication key setting means to set each
authentication key information in the authentication key 
information storage means. 

[0025] A packet filter which distributes a packet 
according to the source of the packet comprises a first 
connection part to receive a packet from the source, second 
and third connection parts to output the packet, and, a 
packet distribution means in which the packet received in the 
first connection part is determined whether or not it is sent 
from a predetermined source, and if the packet is sent from 
the predetermined source, it is transmitted from the second 
connection part, and if not, it is transmitted from the third 
connection part. The second and third connection part 
receive a packet, add predetermined source information to the 
packet received in the second connection part and transmit it 
from the first connection part and straightforwardly transmit 
the packet received in the third connection part from the 
first connection part. 

[0026] In the hardware construction, the system is
provided with a first connection part to receive a packet
from the source, second and third connection parts to output
the packet, a CPU for a process, and a memory to store a
program to determine whether or not the packet received in
the first connection part is transmitted from a predetermined
source, to transmit it from the second connection part if the
packet is transmitted from the predetermined source, and to
transmit it from the third connection part if the packet is
not transmitted from the predetermined source.

[0027] There is provided an authentication server which 
transmits authentication key information to a packet filter 
connected to a private network establishing a virtual private 
network via a public network, for a packet distribution in 
the packet filter, comprises a determination means to 
determine whether or not an access from the packet filter to 
the authentication server is legal, and a transmission means 
to transmit authentication key information corresponding to 
the private network to the packet filter which is determined 
to be legal by the determination means.

[0028] A packet filtering method to establish a virtual
private network via a public network, connected to a private
network containing a firewall, is comprised of:
a step of adding a predetermined authentication information 
to a data packet received from the private network for 
transmitting it to the public network, 

a step of transmitting a data packet received from the 
firewall to the public network, 

a step of determining whether or not the authentication 
information is added to a data packet received from the 
public network, 

a step of removing the authentication information for 
transmitting the data packet to the private network if the 
authentication information is added and, 

a step of transmitting the data packet to the firewall if the 
authentication information is not added. A program to 
realize these steps using an information processor can be 
stored in a storage medium. According to the above 
operations, security of the data packets between the private 
networks comprising a VPN can be ensured. Moreover, the 
authentication information added by the packet filter is 
constant regardless of the application protocol, so that 
high-speed access control can be carried out by hardware. 
Furthermore, access to an information processor outside 
the VPN, such as access to a WWW server in the private 
network or access from the private network to a WWW server 
in the public network, can be carried out via the 
firewall, thus realizing precise security, although the 
speed is lower than via the private connection part. 

[0029] Because the public network and the packet filter 
are connected by one line, the system can be realized with 
one line license, not with an exclusive line and a public 
line separately. 
[0030] 

[Embodiment] Embodiments of the present invention will be 
discussed below in detail with reference to the drawings. 
[0031] Fig. 1 shows a system structure of an embodiment of 
the present invention. In Fig. 1, there are a private 
network A101-1, a private network B101-2 and a private 
network C101-3 in this system structure. The private 
networks A and B are a pair of the private networks 
establishing a VPN via a public network 103. The private 
network C does not establish a VPN with another private 
network via the public network 103. 

[0032] The public network is provided with a packet filter 
A102-1 which is connected to the private network A to 
establish a VPN between the private networks A and B. 
Likewise, a packet filter B102-2 is provided at a connection 
point where the private network B is connected to the public 
network. The private network C does not require a packet 
filter because it does not establish a VPN with another 
network. 

[0033] Two routes are provided between the private network 
A and a packet filter A. One is a direct route 107-1 which 
directly connects the packet filter A and an internal router 
A105-1, and the other is a firewall route A108-1 which 
connects the internal router A via a firewall A106-1. A 
computer A104-1 is connected to the internal router A. A 
method for connection between the private network B and the 
packet filter B is the same as that of the private network A 
and the packet filter A. 

[0034] The private network C is connected to the public 
network via a firewall C106-3 because there is no packet 
filter contained. A computer C is connected to the firewall 
C. 

[0035] A packet filter computer 109 is a computer having a 
packet filtering function. 

[0036] In Fig. 1, the direct route 107 and the firewall 
route 108 are explained as physical connection lines, 
however, these can be considered as logical communication 
lines realized in one physical line such as in an ATM 
(Asynchronous Transfer Mode). 
[0037] Fig. 2 shows an internal structure of the packet 
filter 102. The packet filter is provided on the public 
network side and is a device to add authentication 
information to a data packet transmitted from the private 
network, to check the authentication information added to a 
data packet received from the public network, and to 
distribute such a packet to the firewall when required. 

[0038] The packet filter is equipped with a packet 
transfer means 201, a packet distribution means 202, 
authentication key storage means 203 and an authentication 
key setting means 204. The packet filter has three 
input/output lines, the direct route 107, the firewall route 
108 and the public network 103. 

[0039] The packet transfer means 201 adds authentication 
information to a data packet from the computer via the direct 
route 107 and transmits the data packet to the public network 
103. The packet transfer means just transmits the data 
packet from the computer via the firewall route 108 to the 
public network. 

[0040] The packet distribution means 202 determines, for a 
data packet received from the public network 103, whether or 
not authentication information which is in a predetermined 
area and is added in another packet filter has been added. A 
data packet with the authentication information is checked 
for the authentication information. If correct 
authentication information is added, the packet is considered 
as a data packet in the VPN and is transmitted to the direct 
route 107. If incorrect authentication information or no 
authentication information is added, the packet is 
transmitted to the firewall route 108. 

[0041] The authentication key storage means 203 is a 
memory which stores an authentication key to generate 
authentication information or to refer for checking. 
[0042] The authentication key setting means 204 is a user 
interface for setting the authentication key in the 
authentication key storage means 203 in the packet filter. 
[0043] In this embodiment, in order for the private 
networks A and B to establish the VPN, a common 
authentication key is set in the authentication key storage 
means 203 of the packet filters A102-1 and B102-2. As 
described above, a common authentication key is set in the 
authentication key storage means 203 of each packet filter 
connected to a private network establishing the VPN. 
[0044] The packet transfer means 201 will be discussed in 
detail. Fig. 3 shows a detailed structure of the packet 
transfer means 201. In Fig. 3, the packet transfer means 201 
has a route determination means 301, an authentication 
information generation means 302, and an authentication 
information addition means 303. 

[0045] The route determination means 301 determines 
whether the packet is received from the direct route 107 or 
from the firewall route 108 based on a receiving port. The 
packet received from the direct route is transmitted to the 
public network 103 via the authentication information 
generation means 302 and the authentication information 
addition means 303. The packet received from the firewall 
route is transmitted directly to the public network. 
[0046] The authentication information generation means 302 
generates authentication information based on the data packet 
received from the route determination means 301 and the 
authentication key stored in the authentication key storage 
means 203. In this embodiment, a hash function known in 
cryptography is used for generating the authentication 
information. 

[0047] The authentication information addition means 303 
adds the authentication information generated by the 
authentication information generation means 302 to a 
previously specified area in the data packet. 
[0048] Next, the packet distribution means 202 shown in 
Fig. 2 will be described in detail. Fig. 4 shows a detailed 
structure of the packet distribution means 202. In Fig. 4, 
the packet distribution means 202 is equipped with a packet 
determination means 401, an authentication information check 
means 402, and an authentication information deletion 
function 403. 

[0049] The packet determination means 401 determines, for 
the data packet received from the public network 103, whether 
or not the authentication information is added to the 
specified area. A data packet to which authentication 
information is added is transmitted to the direct route 107 
via the authentication information check means 402 and the 
authentication information deletion function 403. A data 
packet to which no authentication information or incorrect 
authentication information is added is transmitted to the 
firewall route 108. 

[0050] The authentication information check means 402 
determines whether or not the authentication information is 
correct. In this step, new authentication information is 
generated from a data packet received from the packet 
determination means 401 and the authentication key stored in 
the authentication key storage means 203, and is compared 
with authentication information added to the data packet 
whether or not they are identical. If they are identical, 
the authentication information is determined to be correct, 
and if they are not identical, it is determined to be 
incorrect. 

[0051] The authentication information deletion means 403 
deletes the authentication information inserted in the data 
packet which is determined to be correct. 

[0052] The authentication information is inserted into a 
predetermined area of the data packet shown in Fig. 5. Fig. 
5 shows the format of a data packet. The data packet is 
comprised of a destination address 501, a source address 502 
and a header 1307-1 in which a port number is described, and 
a payload in which data is described. In this embodiment, 
the authentication information is inserted into the data 
packet according to, for example, the format defined for the 
standard communication protocol Internet Protocol Version 6 
(IPv6). In IPv6, arbitrary control data 504 can be inserted 
between the header 1307-1 and the payload 1307-2, together 
with a control header which identifies the size and kind of 
the control data. The authentication information 506 is 
inserted with a control header 505 for the authentication 
information using this mechanism, so that the presence of the 
authentication information can be determined. 

[0053] Next, a processing operation of the embodiment will 
be discussed with reference to Fig. 6 and Fig. 7. Figs. 6 
and 7 show a processing sequence in the structure of the 
embodiment. A process in which the computer A104-1 in the 
private network A101-1 shown in Fig. 1 accesses the computer 
B104-2 of the private network B101-2 establishing the VPN is 
described. Fig. 6 shows a process on the sender's side, and 
Fig. 7 shows a process on the receiving side. 
[0054] (1) The computer A101-1 transmits a data packet 
whose destination address is the computer B104-2 in the 
private network B101-2 (step 2000 in Fig. 6). 

[0055] (2) The internal router A105-1 checks the 
destination address described in the header of the data 
packet. If the destination address is in a private network 
establishing a VPN with the private network A101-1, the data 
packet is transmitted to the packet filter A102-1 via the 
direct route (step 2001). If the destination address is for 
another network, the data packet is transmitted to the 
firewall, where a security check is carried out, and is then 
transmitted to the packet filter A via the firewall route 
(step 2002). 

[0056] (3) The packet filter A adds authentication 
information, using the authentication information generation 
means 302 and the authentication information addition means 
303 shown in Fig. 3, to the data packet received from the 
direct route and transmits it to the public network 103 (step 
2003). The data packet received from the firewall route is 
straightforwardly transmitted to the public network (step 
2004). 

[0057] (4) The packet filter B102-2 receives the data 
packet from the public network (step 2005 in Fig. 7). 

[0058] (5) The packet filter B102-2 determines whether or 
not the authentication information is added to the data 
packet using the packet determination means 401. If the 
authentication information is added, the authentication 
information is checked for whether or not it is correct using 
the authentication information check means 402, and the 
authentication information is deleted using the 
authentication information deletion means 403 (step 2006). 
If the authentication information is correct, the data packet 
is transmitted to the internal router B105-2 via the direct 
route (step 2007). If the authentication information is not 
added or is not correct, the data packet is transmitted to 
the firewall B106-2 via the firewall route (step 2008). 

[0059] (6) The firewall B106-2 carries out a precise 
security check for the data packet transmitted via the 
firewall route, and transmits the data packet to the internal 
router B105-2 (step 2009). 

[0060] (7) The computer B104-2 receives the data packet 
from the internal router B (step 2010). 
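The tagging, checking and stripping path of paragraphs [0039] to [0052] together with the sender and receiver sequence of Figs. 6 and 7, as an added example that is not part of the patent: it models the control header 505 carrying the authentication information 506 on a constructed IPv6-style packet and uses a truncated HMAC-SHA256 as the keyed hash; the Next Header value, tag length, addresses and key are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed layout: a 40-byte IPv6-style fixed header (1307-1), then the
# control header 505 = [original Next Header, tag length], the tag 506, and
# the payload (1307-2). AUTH_HDR is a constructed Next Header value marking
# the control header; real IPv6 extension headers use 8-octet length units.
HEADER_LEN = 40
NEXT_HDR_OFF = 6
AUTH_HDR = 0xA5
TAG_LEN = 16
DIRECT_ROUTE = "direct route 107"
FIREWALL_ROUTE = "firewall route 108"


def build_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Constructed IPv6-like header: version/flow, length, next header, hop limit, src, dst."""
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def generate_auth_info(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Means 302: keyed hash over header and payload with the shared VPN key."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def add_auth_info(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Means 303: insert the control header and tag, and point the header at them."""
    tag = generate_auth_info(key, header, payload)
    control = bytes([header[NEXT_HDR_OFF], TAG_LEN])           # control header 505
    marked = header[:NEXT_HDR_OFF] + bytes([AUTH_HDR]) + header[NEXT_HDR_OFF + 1:]
    return marked + control + tag + payload


def filter_outbound(key: bytes, ingress: str, header: bytes, payload: bytes) -> bytes:
    """Packet transfer means 201: tag direct-route traffic, pass firewall traffic as is."""
    if ingress == DIRECT_ROUTE:                                 # means 301: by receiving port
        return add_auth_info(key, header, payload)
    return header + payload


def filter_inbound(key: bytes, packet: bytes):
    """Packet distribution means 202: returns (route, packet to forward)."""
    header, rest = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) < HEADER_LEN or header[NEXT_HDR_OFF] != AUTH_HDR:
        return FIREWALL_ROUTE, packet                           # means 401: no auth info
    if len(rest) < 2 + TAG_LEN or rest[1] != TAG_LEN:
        return FIREWALL_ROUTE, packet                           # malformed control header
    orig_nh, tag, payload = rest[0], rest[2:2 + TAG_LEN], rest[2 + TAG_LEN:]
    restored = header[:NEXT_HDR_OFF] + bytes([orig_nh]) + header[NEXT_HDR_OFF + 1:]
    expected = generate_auth_info(key, restored, payload)       # means 402: recompute
    if not hmac.compare_digest(tag, expected):                  # wrong key or altered packet
        return FIREWALL_ROUTE, packet
    return DIRECT_ROUTE, restored + payload                     # means 403: tag removed


def demo():
    """Figs. 6 and 7: computer A -> filter A -> public network -> filter B -> computer B."""
    key = b"constructed shared key for VPN A-B"
    payload = b"hello from A"
    header = build_header("2001:db8:a::104", "2001:db8:b::104", 17, len(payload))
    tagged = filter_outbound(key, DIRECT_ROUTE, header, payload)      # steps 2001, 2003
    results = {"vpn": filter_inbound(key, tagged)[0]}                  # steps 2005 to 2007
    plain = filter_outbound(key, FIREWALL_ROUTE, header, payload)     # steps 2002, 2004
    results["no_auth"] = filter_inbound(key, plain)[0]                 # step 2008
    altered = tagged[:-1] + bytes([tagged[-1] ^ 1])                    # payload changed in transit
    results["altered"] = filter_inbound(key, altered)[0]
    results["wrong_key"] = filter_inbound(b"key of another VPN", tagged)[0]
    return results
```

Because the authentication information depends only on the key and the packet, an identical packet replayed later also verifies; the text describes no sequence number or timestamp, so replay detection would have to be added separately.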

[0061] In the embodiment shown in Figs. 1 to 7 described 
above, a case is described in which the private networks are 
connected to the public network. When a mobile terminal is 
directly connected to the public network, the embodiment can 
be realized by providing a function equivalent for the packet 
filter as software and hardware, that is, the above function 
can be realized by software. 

[0062] Fig. 14 shows a hardware structure of the packet 
filter. In Fig. 14, the packet filter is comprised of a 
public network connection part 1450 connected to the public 
network, the private network connection part 1410 directly 
connected to the private network, a firewall connection part 
1420 connected to the firewall, a CPU 1430 for processing, a 
memory 1440 storing a program in which it is determined 
whether or not a packet received in the public network 
connection part 1450 was transmitted from a predetermined 
source. 

[0063] According to this embodiment, the VPN service can 
be provided on the network side by the packet filter. 
Moreover, a real-time file transfer can be realized with 
ensured security in a communication between the private 
networks structuring the VPN. Security of a communication 
other than the VPN can be precisely ensured with the 
firewall. 

[0064] Next, a second embodiment will be explained. 
[0065] In the first embodiment, each private network 
belongs to one VPN group. However, one private network can 
belong to a plurality of VPN groups. For example, a first 
group can consist of the private network A and the private 
network B shown in Fig. 1, and a second group can consist of 
the private network A and the private network C. In this 
case, the group to which a data packet belongs can be 
discriminated by having a different key for each group. In 
the second embodiment, each authentication is carried out in 
the same structure as the first embodiment, with an 
authentication key for each VPN group. 

[0066] An authentication key in the second embodiment will 
be explained with reference to Fig. 8. Fig. 8 is an 
explanatory view showing a method for managing a plurality of 
keys, not storing only one authentication key as the 
authentication key storage means 203. In this embodiment, an 
address group of a private network belonging to the VPN and 
the authentication key are stored as a pair. The number of 
the pairs is identical to the number of the VPN to which the 
private network belongs. 

[0067] In the authentication information generation means 
302, an authentication key corresponding to the VPN group is 
looked up based on a destination address described in the 
header 1307-1 in the authentication information generation 
means 302, or based on a source address described in the 
header 1307-1. 

[0068] According to this embodiment, discrimination of 
which VPN group the data packet belongs to, by using a 
different authentication key, becomes possible. 
[0069] Next, a third embodiment will be discussed. In the 
third embodiment, the direct route 107 connecting a private 
network 101 and a packet filter 102 is determined for each 
VPN group, and this will be explained with reference to 
Fig. 9. 

[0070] Fig. 9 is an explanatory view showing a management 
means for an authentication key corresponding to a plurality 
of VPN groups. 

[0071] In Fig. 9, the authentication key storage means 203 
stores an authentication key corresponding to the number of 
each direct route. The internal router 105 transmits a data 
packet to the direct route corresponding to the group. The 
authentication information generation means 302 looks up an 
authentication key according to the port number of the 
direct route from which the data packet was received, using 
the information of the authentication key storage means 203. 
The authentication information check means 402 checks the 
authentication information, in parallel or in the order of 
the authentication keys corresponding to each direct route, 
using the information of the authentication key storage 
means, to find identical information. The packet 
determination means 401 acquires the corresponding direct 
route and distributes the data packet. 

[0072] According to this embodiment, the direct route 107 
and the authentication key correspond one-on-one. Therefore, 
the packet transfer means 201 can look up the authentication 
key at high speed. 
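The per-group key storage of the second and third embodiments (Figs. 8 and 9), as an added example that is not the patent's code: the key is selected by the peer's address group on the way out, or by the direct route the packet arrived on, and on the way in each group's key is tried in turn so that the key which verifies names the direct route; prefixes, route names and keys are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed values for the demonstration; the patent gives no concrete
# addresses, keys or tag length.
TAG_LEN = 16
FIREWALL_ROUTE = "firewall route 108"


def auth_tag(key: bytes, data: bytes) -> bytes:
    """Means 302/402: keyed hash (truncated HMAC-SHA256) over the packet data."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class GroupKeyStorage:
    """Key storage means 203 holding one (address group, direct route, key) entry per VPN group."""

    def __init__(self):
        self.entries = []

    def add_group(self, prefix: str, direct_route: str, key: bytes) -> None:
        self.entries.append((ipaddress.ip_network(prefix), direct_route, key))

    def key_for_address(self, address: str):
        """Second embodiment (Fig. 8): select the key from the destination
        (or source) address in the header, i.e. from the peer's address group."""
        addr = ipaddress.ip_address(address)
        for prefix, _route, key in self.entries:
            if addr in prefix:
                return key
        return None                                   # not a VPN peer

    def key_for_route(self, direct_route: str):
        """Third embodiment (Fig. 9): one direct route per VPN group, so the
        receiving port of the packet transfer means selects the key directly."""
        for _prefix, route, key in self.entries:
            if route == direct_route:
                return key
        return None

    def route_for_tag(self, data: bytes, tag: bytes) -> str:
        """Third embodiment check (means 402 and 401): try every group's key in
        order and distribute to the direct route whose key verifies; a packet
        that no group's key verifies is sent to the firewall route."""
        for _prefix, route, key in self.entries:
            if hmac.compare_digest(auth_tag(key, data), tag):
                return route
        return FIREWALL_ROUTE


def demo():
    """Private network A belongs to group A-B and to group A-C (paragraph [0065])."""
    storage = GroupKeyStorage()
    storage.add_group("2001:db8:b::/48", "direct route 107-1", b"constructed key A-B")
    storage.add_group("2001:db8:c::/48", "direct route 107-2", b"constructed key A-C")
    packet = b"constructed packet bytes"
    results = {}
    # Outbound from A: key chosen by destination address (second embodiment) ...
    to_b = storage.key_for_address("2001:db8:b::104")
    # ... or by the direct route the packet arrived on (third embodiment).
    to_c = storage.key_for_route("direct route 107-2")
    results["keys_differ"] = to_b != to_c
    # Inbound at A: the key that verifies identifies the group and hence the route.
    results["from_b"] = storage.route_for_tag(packet, auth_tag(to_b, packet))
    results["from_c"] = storage.route_for_tag(packet, auth_tag(to_c, packet))
    results["unknown"] = storage.route_for_tag(packet, auth_tag(b"not a member key", packet))
    results["outside"] = storage.key_for_address("2001:db8:d::1") is None
    return results
```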

[0073] A fourth embodiment will be explained. In the 
fourth embodiment, a case in which the authentication key 
stored in the authentication key storage means 203 is set at 
the beginning of communication is explained. Fig. 10 is a 
structuring view in the case of setting the authentication 
key stored in the authentication key storage means 203 at the 
beginning of the communication. In this embodiment, the 
authentication server 1001 is provided on the public network 
103. The authentication server 1001 is equipped with a 
storage means 1010 storing the authentication key belonging 
to all the packet filters 102 connected to the public network 
103, a packet filter authentication means 1011 to 
authenticate the packet filter 102, and an authentication key 
transmission means 1012 to transmit the authentication key to 
the packet filter 102. 

[0074] The authentication key setting means 204-1 of the 
packet filter A102-1 carries out the following steps with the 
authentication server 1001 to set the authentication key. 
[0075] (1) The public network 103 is connected to the 
authentication server 1001 at the beginning of the first 
communication. The authentication key setting means 204-1 of 
the packet filter A102-1 has previously accepted a password. 

[0076] (2) The packet filter authentication means 1011 
authenticates the packet filter A102-1 by exchanging the 
predetermined password. 

[0077] (3) The authentication key transmission means 1012 
takes the authentication key from the storage means 1010 and 
transmits it to the packet filter A102-1. 

[0078] (4) The authentication key is received and is set 
in the authentication key storage means 203-1. 

[0079] The packet filter B102-2 can carry out the same 
process and can set the authentication key. 

[0080] According to this embodiment, the management of 
authentication keys can be unified. Thus, changing of the 
authentication key can be carried out at only one place, 
the authentication server 1001. 

[0081] A fifth embodiment will be described. In the third 
embodiment, the public network 103 and the packet filter 102 
are connected with one route. However, in this embodiment, 
as shown in Fig. 11, the public network and the packet filter 
are connected with routes corresponding one-on-one to a 
plurality of direct routes 107 and one firewall route. 
Namely, the direct route 107 and the public network are 
provided for each VPN. 

[0082] The packet transfer means 201 adds authentication 
information corresponding to the direct route to the data 
packet received via the direct route and transmits it to a 
route corresponding to the direct route on the private 
network side. A data packet received via the firewall route 
is directly transmitted to the route on the public network 
side corresponding to the firewall route on the private 
network side. 

[0083] The packet distribution means 202 checks the data 
packet received from the public network. A data packet to 
which correct authentication information is added is 
transmitted to the corresponding direct route after the 
authentication information is removed. A data packet to 
which incorrect authentication information is added is 
transmitted to the firewall route. 

[0084] According to this embodiment, the packet 
distribution means 202 can easily discriminate the VPN group 
according to the route. Therefore, the packet distribution 
means can be high-speed. 

[0085] According to the above embodiments, the 
authentication information added by the packet filter is 
constant regardless of the application protocol and can be 
realized by hardware, so that a high-speed Internet VPN can 
be realized. Moreover, access to an information processor 
outside of the VPN, such as access to a WWW server in the 
private network or access from the private network to a WWW 
server on the public network, is instead carried out via a 
firewall and, thus, precise security can be ensured, 
although the speed is less than that of the direct route. 
[0086] 

[Effect of the Invention] According to the present invention, 
in a communication between private networks structuring a 
VPN, a secure and real-time data transfer is available. In a 
communication other than the VPN, precise security can be 
ensured by the firewall. 
[Brief Explanation of the Drawings] 

[Fig. 1] Fig. 1 is a structural view of a system in the 
embodiment of the present invention. 

[Fig. 2] Fig. 2 shows an inner structure of a packet filter 
in an embodiment of the present invention. 

[Fig. 3] Fig. 3 is a detailed explanatory view of a packet 
transfer means in an embodiment of the present invention. 
[Fig. 4] Fig. 4 is a detailed explanatory view of a packet 
distribution means in an embodiment of the present invention. 
[Fig. 5] Fig. 5 is an explanatory view of a data packet to 
which authentication information is added. 

[Fig. 6] Fig. 6 shows a sequence of a processing operation 
on a transmitting side in an embodiment of the present 
invention. 

[Fig. 7] Fig. 7 shows a sequence of a processing operation 
on a receiving side in an embodiment of the present 
invention. 

[Fig. 8] Fig. 8 is another explanatory view of an 
authentication key storage means in an embodiment of the 
present invention. 

[Fig. 9] Fig. 9 is another explanatory view of an 
authentication key storage means in an embodiment of the 
present invention. 

[Fig. 10] Fig. 10 is a structural view of a system to which 
an authentication server is added in an embodiment of the 
present invention. 

[Fig. 11] Fig. 11 is another structural view of a packet 
filter. 

[Fig. 12] Fig. 12 is a structural view showing a prior art 
using a firewall. 

[Fig. 13] Fig. 13 is an inner structural view of a firewall 
of a prior art. 

[Fig. 14] Fig. 14 shows a structure of a packet filter. 
[Explanation of Codes] 

101...private network, 102...packet filter, 103...public network, 
104...computer, 105...inner router, 106...firewall, 107...direct 
route, 108...firewall route, 201...packet transfer means, 
202...packet distribution means, 203...authentication key 
storage means, 204...authentication key setting means, 
301...route determination means, 302...authentication 
information generation means, 303...authentication information 
addition means, 401...packet determination means, 
402...authentication information check means, 
403...authentication information deletion means, 
501...destination address, 502...source address, 503...port 
number, 504...control data, 505...control header, 
506...authentication information, 507...data, 
1001...authentication server, 1010...storage means, 1011...packet 
filter authentication means, 1012...authentication key 
transmission means, 1301...connection management means, 
1302...decoding means, 1303...connection management means, 
1304...application management means, 1305...connection 
management table A, 1306...connection management table B, 
1307...data packet. 